Encrypt360 for a safer world: a technical primer on Hedvig encryption
This week (amongst other things) we introduced encryption into the Hedvig platform! “So what,” I hear you reply. “My existing storage system has done encryption for years!” Fair point. Please read on however because how we’ve implemented encryption – and where – is different, and arguably provides you with greater protection where it matters most. Let me explain.
With Hedvig Distributed Storage Platform 3.0, we’ve introduce Encrypt360. This brings full end-to-end encryption capabilities into our solution. Why I use the phrase end-to-end, as you’ll see, is because Hedvig now enables encryption from the host all the way down to the final storage resting space – and back again – thus the “360” in Encrypt360.
SUPERIOR ENCRYPTION CARE OF THE HEDVIG ARCHITECTURE
Here at Hedvig we often talk about the benefits of our disaggregated architecture, pushing the storage access layer up close to the applications in the form of the Hedvig Storage Proxy to provide intelligent I/O control and acceleration. Now we’ve added an intelligent AES XTS encryption engine into the Hedvig Storage Proxy to give a huge security benefit. Encryption performed at the Storage Proxy allows Hedvig to encrypt data before the I/O even leaves the application host! This means data in-flight is protected from network intrusions that present a security risk.
This feature – like others available in our software-defined storage solution including dedupe, compression, caching, and replication – is set as a per virtual disk (vDisk) policy. It isn’t an all-or-nothing approach to data encryption. If you only want to encrypt a single vDisk and leave everything else unencrypted, then this is absolutely fine. This means you only utilize resources to encrypt the data you deem necessary to protect, minimizing system impact. This also greatly reduces the hardware cost compared to self-encrypting drives!
A quick re-cap of the architecture we use here at Hedvig: Hedvig Storage Nodes, generally built out of commodity x86 resources (servers, virtual machines or cloud resources with attached disk), provide the heavy lifting, scale-out capacity for the storage cluster. The Storage Proxy is a lightweight virtual appliance (or container or agent on a bare-metal server) that sits inside the application host and acts as the protocol converting layer. Because it runs at the app host, it allows Hedvig to do some pretty intelligent stuff before I/O even hits the physical network. This intelligence includes latency and location awareness, local caching, local deduplication, and now encryption.
As I mentioned, lots of storage vendors do encryption, but most do so after data has crossed a network into their array. This means another solution must be responsible for security of data across the network. If this is implemented, it has a negative effect on data reduction through deduplication. With Hedvig, an additional benefit of encryption at the Storage Proxy is that customers won’t sacrifice deduplication efficiency with encryption. Both engines (dedupe and encryption) are operational in the Storage Proxy. We deduplicate I/O before processing encryption. This also makes our caching of encrypted data very efficient, and worth noting that the cached data is kept in encrypted form, so even removal of a proxy SSD won’t be a data breach. For both the deduplication and encryption engines, Hedvig leverages storage acceleration libraries including AES-NI to offload processing to Intel CPUs, minimizing the performance overhead. As we often say, hardware is very important to software-defined technologies!
After encrypted data leaves the physical host and traverses the network, it is written to storage and replicated – all encrypted. With full data encryption at rest, physical or logical direct access to the storage nodes cannot reveal any readable data from encrypted disks.
WHAT ABOUT KEY MANAGEMENT?
Because enterprises often have a pre-existing key management server (KMS), the Hedvig solution is designed to tie into these solutions. This includes a number of trusted KMS solutions including AWS KMS and OpenStack Barbican. When the Hedvig cluster is configured, you simply provide the relevant KMS information to allow Hedvig to request keys for its encryption operations. The solution reduces the number of keys required to be maintained within the KMS by using a master encryption key (MEK) + disk encryption key (DEK) mechanism. This lowers costs if your solution charges a per-key fee. It also enables Encrypt360 to request unique encryption keys, one for each vDisk with encryption enabled, while your master encryption keys are securely maintained and stored only in the trusted KMS.
Encrypt360 is more than just a single feature encryption engine. As outlined above, it safeguards data in-use (at the client-side cache), in-flight (over the network), and at rest (stored to drives on Hedvig cluster nodes) and lets you efficiently manage keys in your favorite KMS. For those who prefer the short and sweet approach, here’s a quick top 10 recap at a simplified, technical level:
- Encrypt360 is configured by policy at the time of vDisk provisioning.
- The Encrypt360 engine only exists on the Storage Proxy.
- Encrypt360 encrypts writes and decrypts reads as they are processed through the Storage Proxy.
- Encrypt360 is cache aware, meaning that data held in the Storage Proxy read cache is also encrypted (in use).
- Data for encrypted vDisks remains encrypted as it is transmitted over the physical network (in flight) including WAN and cloud if a cluster is geographically stretched.
- Data remains encrypted on disk storage (at rest).
- Data is replicated in its encrypted form according to the policy set for the vDisk, which can be across nodes, racks, data centers, and/or clouds.
- Encrypt360 integrates with your chosen Key Management Server (KMS).
- Master encryption keys for Hedvig are securely stored in a trusted KMS.
- Unique encryption keys are requested for vDisks with encryption enabled.
WHY ENTERPRISES NEED BUILT-IN ENCRYPTION
Who cares about encryption? Anyone and everyone really. Here are a few scenarios we have encountered where encryption is a top requirement:
- Enterprises that adhere to governance regulations on data and storage.The Hedvig solutions implements industry recognized algorithms that provide AES 256-bit encryption to FIPS standard. This gives customers auditable evidence of data encryption not to mention peace of mind.
- Enterprises considering a move to IP based storage. Often those who are moving away from Fibre Channel SANs to storage built on IP networks are concerned about the physical security of the network. Encrypt360 alleviates these concerns.
- Enterprises investing in cloud. Hedvig is a hybrid and multi-cloud native platform and many organizations take security very seriously when storing data in the cloud. By providing policy-based encryption, Hedvig enables customers to encrypt and safely store important data in and across private and public clouds.
These are a few of the scenarios Hedvig Encrypt360 is designed to solve. The good news? Encrypt360 has no additional license fees or hardware requirements and no noticeable impact on application performance. Encrypt360 delivers a robust encryption capability that improves your data security end-to-end.